The oil and gas industries must update security for their information technology and telecommunication infrastructures. Technologies are needed that could contain the impacts of an information system intrusion or cyberattack so that the complete system or dependent infrastructures remain relatively unaffected. Another focus should be identifying and managing risk to infrastructures and information, with emphasis on impact, consequences, and effect across multiple components and operators.
For example, in the energy industries, SCADA systems are increasingly being linked with other systems (such as electronic business systems) through the Internet, and they are thus becoming more vulnerable to cyberintrusion. The SCADA security issue is widely felt not only in the energy industries but in virtually all industries—in fact, in operating facilities of all types. Cost-effective solutions to SCADA security problems are therefore widely, and urgently, needed (see Recommendation 6.9). The public- and private-sector R&D aimed at broad application in this area should be leveraged to address unique issues of the oil and gas industries. As in other such endeavors, industry involvement could be coordinated through a body like the National Petroleum Council, with federal management through DOE.
The oil and gas industries are each made up of a few very large companies and many smaller companies. The large companies make some investment in R&D for security improvement, while the smaller companies typically do not. Even for large companies, however, it is difficult to justify investing in security R&D at the level society might desire or, given their highly competitive nature, to share their results. There is a need for government and industry to jointly share the cost and execution of the needed research and development. The government needs to share the security expertise it has with industry as appropriate, and this is an issue that pertains across the energy industry.
Recommendation 6.21: The federal government and the energy industry should together establish appropriate security goals. Building on this alignment, government should cooperate with industry to establish joint security-performance expectations and to define the respective roles and responsibilities of each in ensuring such performance. Industry should design the security measures and procedures needed to achieve the established security goals. Industry also should provide a mechanism to ensure that expectations will be achieved across the spectrum of firms in the industry.